Filtering Traffic with Snort

There are two methods of limiting the sources of traffic that Snort processes. You can write BPF (Berkeley Packet Filter) expressions, which Snort applies to decide which packets it will process at all. Alternatively, you can set the network variables in the Snort configuration file so that rules apply only to the address ranges you care about.

Restricting the amount of traffic Snort must process naturally reduces the amount of work Snort has to do. If there are hosts that do not need intrusion detection coverage, you can filter them out with BPFs or network variables. Either method can also be used to ignore a host or range of hosts that is generating too much false positive noise.
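As an added illustration that is not from the book, the Python helper below turns a constructed list of noisy hosts and subnets into both artifacts the text describes: a BPF expression that keeps those sources out of Snort entirely (Snort reads such an expression from a file given with `-F` or as the trailing command-line argument), and a Snort 2.x `ipvar HOME_NET` line that merely carves them out of the home network, so only rules referencing `$HOME_NET` stop matching them. The function names and the RFC 5737 addresses are my assumptions; `bpf_admits` models the BPF's effect on sample packets.

```python
"""Build Snort exclusion artifacts from a list of noisy sources (hypothetical helper)."""
import ipaddress

# Constructed example data: RFC 5737 documentation ranges, not real hosts.
HOME_NET = ["192.0.2.0/24", "203.0.113.0/24"]
NOISY = ["192.0.2.10", "203.0.113.128/25"]  # entries that only produce false positives


def _parse(entry):
    """Return an ip_network; a bare address becomes a /32 (or /128).
    strict=True makes a typo such as 10.1.1.5/24 raise instead of silently widening."""
    return ipaddress.ip_network(entry, strict=True)


def bpf_exclude(noisy):
    """BPF expression that drops every packet to or from a noisy entry.
    A single address becomes 'host a.b.c.d'; a wider prefix becomes 'net a.b.c.0/len'.
    Packets rejected here are never decoded, so no rule can alert on them."""
    terms = []
    for entry in noisy:
        net = _parse(entry)
        if net.num_addresses == 1:
            terms.append(f"host {net.network_address}")
        else:
            terms.append(f"net {net.with_prefixlen}")
    return "not (" + " or ".join(terms) + ")"


def home_net_var(home_nets, noisy):
    """Snort 2.x 'ipvar HOME_NET' line with the noisy entries negated via '!'.
    Negated entries must sit inside a non-negated one, which holds for the sample data.
    Unlike the BPF, rules that do not reference $HOME_NET still see this traffic."""
    members = [str(_parse(n)) for n in home_nets]
    members += ["!" + str(_parse(n)) for n in noisy]
    return "ipvar HOME_NET [" + ",".join(members) + "]"


def bpf_admits(src, dst, noisy):
    """Model of the BPF above: True only if neither endpoint is in a noisy entry
    ('host' and 'net' in BPF match either direction)."""
    nets = [_parse(n) for n in noisy]
    for addr in (ipaddress.ip_address(src), ipaddress.ip_address(dst)):
        if any(addr in n for n in nets):
            return False
    return True


if __name__ == "__main__":
    print(bpf_exclude(NOISY))            # goes into the file passed to snort -F
    print(home_net_var(HOME_NET, NOISY))  # goes into snort.conf
```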

Network Variables

Configuring Snort's network variables ...
